"There are definitely some groups that are using AI to aid with the development of ransomware and malware modules, but as far as Recorded Future can tell, most aren't," says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. "Where we do see more AI being used widely is in initial access."
The PromptLock malware uses Open AI's gpt-oss-20b model, which is one of the two free open-weight models the company released earlier this month. It runs locally on an infected device through the Ollama API, and it generates malicious Lua scripts on the fly, likely to make detection more difficult. "PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption," the researchers explained, adding that the Lua scripts work on Windows, Linux, and macOS machines.